Coalition could allow firms to buy access to facial recognition data

The federal government is considering allowing private companies to use its national facial recognition database for a fee, documents released under Freedom of Information laws reveal.
The partially redacted documents show that the Attorney General's Department is in discussions with major telecommunications companies about pilot programs for private sector use of the Facial Verification Service in 2018. The documents also indicate strong interest from financial institutions in using the database.
The government has argued that the use of facial recognition is necessary for national security and to cut down on crimes such as identity fraud. The Attorney General's Department says private companies could only use the service with the person's consent.
But experts and civil society advocates have expressed concerns over lack of transparency and oversight of facial recognition programs.
Monique Mann, a director of the Australian Privacy Foundation and a lecturer at the faculty of law at the Queensland University of Technology, said that requiring companies to ask for consent may not be enough to protect consumers' rights or mitigate the risks involved with biometric data, and would encourage firms to store more data.
"There are questions about whether individuals are able to make voluntary informed decisions and opt out of these schemes, even if they are aware that it is happening.
"If the alternative would be not being able to access important services, like opening a bank account, can you really say that customers are giving their consent freely?
"In practice, this program will effectively encourage private companies to build their own facial recognition databases. Once that data is created, it becomes very difficult for people to know how securely it will be stored, who it will be shared with and what information it will be connected to, and to what end."
The government struck a deal with states and territories over the controversial national facial recognition database last month. According to the documents, which predate the agreement, at that time 50% of the population was already included in the database. With the help of state and territory governments, the federal Attorney General's Department planned to expand that number to cover 85% of Australians.
According to the partially redacted documents, "the [Attorney General's] Department is currently in exploratory discussions with some of the major telecommunications carriers [redacted] regarding their potential use of the [Face Verification Service]." Under the plan, companies using the FVS would collect a facial image of their customer and send it to the "Biometric Interoperability Hub".
The hub then uses the national database to check the photo against an image on one of their government records, such as a passport or driving license photo, to verify that it is the same person. The company would receive a yes/no response, without seeing the image held by the government or having direct access to the database.
The process will be similar to the current Document Verification Service (DVS), which has been available to private companies since 2014 and is used to verify information on customers' driving licenses, passports, Medicare cards, visas, citizenship certificates and immigration cards.
Companies pay a fee to the government for each transaction with the DVS. Some 15.5m private business transactions were processed in 2016, most of them by telecommunications companies. According to the released documents, "this has provided a consistent and growing source of revenue to fund further security initiatives. Private sector use of the FVS could provide similar benefits".
The documents also note that in addition to discussions with the telecommunications companies "large financial institutions have shown a strong interest in accessing the FVS.
"Use of the FVS would address vulnerabilities created by identity takeover… [and] support the financial sector in complying with their obligations under the anti-money laundering/counter terrorism financing regulations and be positive generally for identity security".
A spokesperson for the Attorney General's Department said that no pilot programs had currently commenced, but declined to answer questions about which companies the department is in discussions with for pilot programs or how far those discussions have progressed. 12 telecommunications providers currently use the DVS, including Optus and Telstra.
According to the department spokesperson: "Any private sector organisations using the FVS would need to demonstrate their lawful basis to do so under the Privacy Act, and could only use the FVS where they gain a person's consent to use their images.
"These and other controls will be included in legally binding arrangements with the commonwealth into which all users of the service will enter. The arrangements for private sector access will be informed by an independent privacy impact assessment.
"Use could initially be for access to images held by commonwealth agencies. Access to driver license images would be subject to the agreement of state and territory governments."
In order to use the FVS as planned, private companies which are not currently collecting biometric data will need to start gathering facial images of their customers to send for verification. Once they have invested in creating and verifying the images, there are concerns that companies are unlikely to simply delete them.
The recent mass data breach at Equifax, which exposed highly sensitive personal information such as medical histories, credit scores and social security numbers belonging to over 143 million US citizens, added to concern. Equifax is currently one of the approved gateway service providers for the Australian DVS.
Tim Singleton Norton, the chair of Digital Rights Watch, said: "There is a severe lack of strong oversight mechanisms and general enforcement for human rights and civil liberties in this country, which results in the public being understandably wary about giving government more powers in the first place.
"The public need to be able to trust that governments can adequately store and protect this information from theft or misuse.
"When individuals enter into an agreement with a government agency that includes their personal information, they should have the right to understand, be informed and have a say in where that information is held and what it is being used for.
"That includes knowing who is able to make use of their data. The government should be transparent with the public about their negotiations with private companies to allow the use of the facial recognition database, and how those companies will be held accountable for securing the biometric data they create as part of this program."